[chef] Re: Opscode Upgrade to Embedded Ruby

[Peter Loron < >]

Yay! This will be great for us! Been pulling my hair out waiting for the Windows boxes...

-Pete

On Jun 27, 2013, at 7:45 PM, Benjamin Bytheway < "> > wrote:

I put a pull request in that was merged for 11.6 to bump the omnibus installers to 1.9.3-p429.  Makes a huge difference in speed, especially on windows.

-Ben

On Thu, Jun 27, 2013 at 7:56 PM, Tommy Fotak < " target="_blank"> > wrote:

To be clear it's not so much the vulnerability that concerns me, it's more about keeping the Ruby up to date in general and how that works. For example will the next release be ruby 2.0.0 or still 1.9.3?

Daniel Condomitti wrote:

Are there plans to change that? I would expect that Chef server be one
of the most critical services to ensure you're not being MITM'ed;
especially when using hosted chef.

On Thursday, June 27, 2013 at 6:38 PM, Noah Kantrowitz wrote:

On Jun 27, 2013, at 6:32 PM, Tommy Fotak < " target="_blank">

<mailto: " target="_blank"> >> wrote:

Hi,

What is the policy of Chef releases with regard to Ruby releases?

For example there are ruby 1.9.3-p448 and 2.0.0-p247 releases that
fix an SSL vulnerability, will Opscode make an 11.4.4 release with a
new embedded Ruby?

Are we better off using the Chef gem in our managed Rubies over the
Omnibus?

The relevant bug fix just blocks a potential issue in how Ruby
verifies SSL certificates. Chef sets :verify_none by default, so
there is technically no risk of hitting the bug :-) (the astute
reader will note that this is because there is never any validation)

--Noah